Audit & SIEM Integration
Control Core records every authorization decision, policy change, admin action, and AI interaction as a structured audit event. Those events can be forwarded to external systems for compliance, monitoring, and security operations.
Technical reference: The full API reference — endpoint paths, request/response schemas, authentication, and code examples — is in the Developer Portal built into your Control Plane. Open /devdocs on your Control Plane URL.
How audit delivery works
The Bouncer enforces decisions at the edge and submits enforcement records to the Control Plane. The Control Plane is the single audit store — it persists every record, applies retention, and fans out to external systems from one place. Your protected applications and Bouncers never connect directly to your SIEM or webhooks.
Bouncer (enforces decision)
│
▼
Control Plane audit store
├── SIEM outbox → Splunk, Sentinel, Elastic, Loki, QRadar, custom
└── Webhook delivery → any HTTPS receiver (HMAC-signed)
Consumption modes
| Mode | Best for |
|---|---|
| SIEM connector | Continuous push to Splunk, Elastic, Grafana Loki, QRadar, Sentinel, or any custom HTTP collector |
| Webhook channel | Near-real-time push to any HTTPS receiver; events are signed with HMAC-SHA256 |
| REST polling | Batch ingestion, custom audit processors, compliance dashboards |
| CSV export | Point-in-time compliance evidence packages; includes policy-change hashes for tamper evidence |
Supported SIEM targets
Splunk · Microsoft Sentinel · IBM QRadar · Elastic / OpenSearch · Grafana Loki · OpenTelemetry collectors · Datadog · any custom HTTP endpoint
AI and integrity event types (Sprint 4 — 2026-06)
The following event types are available in the SIEM outbox and REST audit feed as of the Sprint 4 release. Configure your SIEM parser or index to recognise these types alongside the existing control and system events.
| Event type | Category | Description |
|---|---|---|
| AI_TRAFFIC_LOG | AI | Primary per-transaction record for every AI request intercepted by the Bouncer. Includes model, provider, token counts, cost estimate, SHA-256 prompt/response hashes, and latency. |
| AI_POLICY_VIOLATION | AI | Emitted when a control blocks an AI transaction. Includes guardrail_trigger_id, guardrail_action, policy_path, and request_id. |
| AI_PII_REDACTION | AI | Emitted when a control rewrites (masks) part of an AI response. Includes guardrail_trigger_id and response_hash. |
| AI_TOKEN_USAGE | AI | Compatibility alias for AI_TRAFFIC_LOG. Retained for backwards compatibility with existing SIEM filters. Use AI_TRAFFIC_LOG for new rules. |
| AUDIT_CHECKPOINT | Integrity | Emitted each time a KMS-signed WORM checkpoint is written. Allows correlation between the live audit stream and stored checkpoints. |
| SECRET_STORED | Secrets | A credential was stored in the Control Plane secret store. event_context.secret_id_hash is SHA-256 of the identifier (raw id never logged). |
| SECRET_READ | Secrets | A credential was retrieved. |
| SECRET_ROTATED | Secrets | A credential was rotated. |
| SECRET_DELETED | Secrets | A credential was deleted. |
Full field reference for AI events: AI event catalog.
Hash-chain and WORM checkpoint details: Audit tamper evidence.
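The following is an added example (not Control Core's own code) of what a webhook receiver on the SIEM side does with the two facts stated above: webhook deliveries are HMAC-SHA256 signed, and the feed carries the event types in the table. It verifies the signature over the raw request body before parsing, then routes each event to an index and alert severity by event type. The header name (X-Signature), the hex encoding of the MAC, the index names, the severities and the sample events are all assumptions of this example; the real header and encoding are documented in the Developer Portal.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumption (not documented on this page): the delivery carries the MAC in an
# "X-Signature" header as lowercase hex of HMAC-SHA256(secret, raw_body).
SIGNATURE_HEADER = "X-Signature"

# Constructed shared secret; the real one comes from the webhook channel config.
WEBHOOK_SECRET = b"example-shared-secret"

# Event types from this page mapped to (SIEM index, alert severity or None).
# Index names and severities are this example's own choices.
ROUTING: Dict[str, Tuple[str, Optional[str]]] = {
    "AI_TRAFFIC_LOG": ("ai-traffic", None),
    "AI_TOKEN_USAGE": ("ai-traffic", None),        # compatibility alias
    "AI_POLICY_VIOLATION": ("ai-security", "high"),
    "AI_PII_REDACTION": ("ai-security", "medium"),
    "AUDIT_CHECKPOINT": ("audit-integrity", None),
    "SECRET_STORED": ("secrets", "low"),
    "SECRET_READ": ("secrets", "low"),
    "SECRET_ROTATED": ("secrets", "low"),
    "SECRET_DELETED": ("secrets", "medium"),
}


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body bytes, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, headers: Dict[str, str]) -> bool:
    """Constant-time comparison of the presented MAC with one computed over the
    exact bytes received. Never re-serialise the JSON first: any whitespace or
    key-order change would alter the MAC."""
    presented = headers.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(presented, sign(secret, body))


def route_events(events: List[dict]) -> List[Tuple[str, Optional[str], str]]:
    """Map each event to (index, severity, event_type). Unknown types go to a
    quarantine index with a low alert so a parser gap is visible, not dropped."""
    routed = []
    for ev in events:
        etype = ev.get("event_type", "")
        index, severity = ROUTING.get(etype, ("unrouted", "low"))
        routed.append((index, severity, etype))
    return routed


def handle_delivery(secret: bytes, body: bytes, headers: Dict[str, str]):
    """Returns (accepted, routed_events). Unsigned or altered bodies are
    rejected before any JSON parsing of untrusted input happens."""
    if not verify_signature(secret, body, headers):
        return False, []
    events = json.loads(body).get("events", [])
    return True, route_events(events)


# Constructed sample delivery shaped like the event types in the table above.
SAMPLE_EVENTS = {
    "events": [
        {"event_type": "AI_POLICY_VIOLATION", "category": "AI",
         "guardrail_trigger_id": "gt-example-1", "guardrail_action": "block",
         "policy_path": "/ai/guardrails/example", "request_id": "req-example-1"},
        {"event_type": "SECRET_STORED", "category": "Secrets",
         "event_context": {"secret_id_hash": hashlib.sha256(b"example-secret-id").hexdigest()}},
        {"event_type": "AI_TOKEN_USAGE", "category": "AI"},
    ]
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENTS, separators=(",", ":"), sort_keys=True).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign(WEBHOOK_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_delivery(WEBHOOK_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    # A single altered byte in the body must be rejected.
    print(handle_delivery(WEBHOOK_SECRET, SAMPLE_BODY[:-1] + b" ", SAMPLE_HEADERS))
```

The routing table is where a SIEM team adds the Sprint 4 types: a delivery with a type missing from the table still lands in an index, so a stale parser shows up as traffic in "unrouted" rather than as silently lost events.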
Compliance evidence export
The CSV export includes policy-change integrity hashes (prev_policy_hash, new_policy_hash) for every policy-change row, and row_hash / prev_hash for the audit hash chain. This lets compliance teams verify the exact policy state and confirm chain integrity at any point in the review period without relying on logs alone.
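An added example (not Control Core's own verifier) of how a compliance reviewer can check the two integrity properties named above on an exported CSV: that each row's row_hash commits to its prev_hash and content so the chain is unbroken, and that every policy-change row's prev_policy_hash equals the new_policy_hash of the previous change to the same policy. The page does not state which columns row_hash covers or how they are concatenated, so the scheme here (SHA-256 over prev_hash plus a fixed column list joined by "|", a genesis prev_hash of 64 zeros, and a row event type named POLICY_CHANGE) is this example's own assumption; substitute the documented scheme from the Developer Portal before using it on a real export.

```python
import csv
import hashlib
import io
from typing import Dict, List

GENESIS = "0" * 64  # assumed prev_hash of the first exported row

# Assumed set and order of columns committed to by row_hash.
CHAINED_FIELDS = ["event_id", "timestamp", "event_type", "actor", "policy_path",
                  "prev_policy_hash", "new_policy_hash"]
POLICY_CHANGE = "POLICY_CHANGE"  # hypothetical event type name for policy-change rows


def compute_row_hash(prev_hash: str, row: Dict[str, str]) -> str:
    material = prev_hash + "|" + "|".join(row[f] for f in CHAINED_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def build_export(rows: List[Dict[str, str]]) -> str:
    """Construct a CSV with a valid chain; stands in for a real export."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=CHAINED_FIELDS + ["prev_hash", "row_hash"],
                       lineterminator="\n")
    w.writeheader()
    prev = GENESIS
    for r in rows:
        r = dict(r, prev_hash=prev)
        r["row_hash"] = compute_row_hash(prev, r)
        w.writerow(r)
        prev = r["row_hash"]
    return out.getvalue()


def verify_export(csv_text: str) -> List[str]:
    """Return findings; an empty list means the chain and policy lineage hold."""
    findings = []
    prev = GENESIS
    last_policy_hash: Dict[str, str] = {}  # policy_path -> latest new_policy_hash
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        if row["prev_hash"] != prev:
            findings.append(f"row {n}: prev_hash does not link to the previous row (row missing or reordered?)")
        if compute_row_hash(row["prev_hash"], row) != row["row_hash"]:
            findings.append(f"row {n}: row_hash mismatch (row content altered?)")
        if row["event_type"] == POLICY_CHANGE:
            path = row["policy_path"]
            expected = last_policy_hash.get(path)
            if expected is not None and row["prev_policy_hash"] != expected:
                findings.append(f"row {n}: prev_policy_hash breaks policy lineage for {path}")
            last_policy_hash[path] = row["new_policy_hash"]
        prev = row["row_hash"]
    return findings


def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed sample rows: a policy change, a violation under it, a second change.
SAMPLE_ROWS = [
    {"event_id": "e1", "timestamp": "2026-06-01T10:00:00Z", "event_type": POLICY_CHANGE,
     "actor": "alice", "policy_path": "/ai/guardrails", "prev_policy_hash": "",
     "new_policy_hash": _h("policy-v1")},
    {"event_id": "e2", "timestamp": "2026-06-01T10:05:00Z", "event_type": "AI_POLICY_VIOLATION",
     "actor": "bouncer-7", "policy_path": "/ai/guardrails", "prev_policy_hash": "",
     "new_policy_hash": ""},
    {"event_id": "e3", "timestamp": "2026-06-01T11:00:00Z", "event_type": POLICY_CHANGE,
     "actor": "bob", "policy_path": "/ai/guardrails", "prev_policy_hash": _h("policy-v1"),
     "new_policy_hash": _h("policy-v2")},
]
GOOD_EXPORT = build_export(SAMPLE_ROWS)


def tampered_export() -> str:
    """Same export with the actor of row 1 edited after the fact."""
    return GOOD_EXPORT.replace("alice", "mallory")


def truncated_export() -> str:
    """Same export with the middle data row removed."""
    lines = GOOD_EXPORT.splitlines()
    del lines[2]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(verify_export(GOOD_EXPORT))
    print(verify_export(tampered_export()))
    print(verify_export(truncated_export()))
```

Editing a cell produces a row_hash mismatch on that row only, while deleting a row shows up as a prev_hash that no longer links, so the two findings tell a reviewer whether content was altered or rows were dropped.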
Regulation profile presets pre-select the event categories most relevant to common frameworks:
| Profile | Frameworks |
|---|---|
| Finance / Banking | OSFI, FINTRAC, SOC 2, Open Banking |
| Cybersecurity | SEC cyber-disclosure, NIST AI RMF, FedRAMP |
| Privacy / Health | PIPEDA, PHIPA, HIPAA |
Presets are accelerators. Your legal and compliance team remains responsible for final scope and disclosure decisions.
Configure SIEM and webhooks
Both surfaces are configured through the Control Plane UI under Settings → Action Destinations → SIEM (for the SIEM outbox) and Settings → Notifications (for webhook channels). No code required for standard integrations.
For automation and CI/CD pipelines, use the API — see the Developer Portal.
Related guides
- AI event catalog — AI_TRAFFIC_LOG, AI_POLICY_VIOLATION, AI_PII_REDACTION field reference
- Audit tamper evidence — hash-chain and WORM checkpoint configuration
- Audit Logs (UI guide) — filters, category toggles, retention, and CSV export from the Control Plane UI
- How logging works — what is captured, retention policy, and log categories
- Audit vs diagnostic logs — compliance records vs troubleshooting traces
- Action destinations — SIEM tab and webhook channel configuration